Pass data between local & remote sites

I have an MQTT Mosquitto server running on a Raspberry Pi, and it receives local energy data every 5 seconds, along with other MQTT data - switches, environmental data etc.
Currently, the same Pi processes the data in node-RED, and publishes it in a NR dashboard & Grafana.

However, I've also set up node-RED in an Oracle VM, and I'm considering processing/displaying the data in the VM instance instead of my local Pi.

What would be the best way to securely/efficiently get the data to the VM from my local Pi, and get data back from the VM to my local Pi?

  • MQTT using SSL/TLS
  • MQTT over websockets
  • Websockets
  • Something else

I've no experience of doing any of the above, and I've a feeling that this is going to be a learning curve!!

"Best" way is probably push MQTT over TLS.

"Easiest" way likely to be using Node-RED to replicate messages to the remote broker. You would also want TLS for that too though unless you are using a secure connection to the VPS (an SSH tunnel for example).

Best security is to ensure that you are only ever pushing data to the VPS & that the VPS has no way to send data back the other way.

That leaves me with a bit of a problem because both sites are proxied by Cloudflare, and port 1883 is permanently closed.
I've read a number of previous posts about this, but not really seen a viable solution.

One suggestion made was to use MQTT over websockets, but I've found little information about this, let alone a NR example flow to work from. Also is this a resource hungry approach?

Another mentioned creating a sub-domain, and 'greying out' (removing) the cloudflare proxy from the sub-domain, so port 1883 would then be open for the sub-domain url.
However, just tried that, and cloudflare reported that I was exposing my main domain, as proxied & non-proxied traffic was being directed to the same server IP.

I believe that the "proper" way Cloudflare want you to use is their Spectrum tool which is part of their Enterprise plan so out of reach for most of us.

I think that you have to do one of the things you've mentioned. I'm not aware of any issues regarding performance mqtt over websockets though it is true that it does add an additional wrapper so the packets must be a little larger.

Not sure about the warning - that approach is recommended by Cloudflare themselves for allowing traffic to SSH for example.

Either way, make sure that you are only using TLS encrypted connections of course.

Anyone got an example flow, or any pointers for setting up MQTT over Websockets?

I don't think it's covered in the node-RED guides or forum.
Is it achieved by feeding the output from a MQTT 'in' node into a Websocket 'out' node, and vice-versa?
No laughing now :sweat:

To configure the mqtt nodes to use websockets, set the broker URL to ws://<broker-ip>/<path> (or wss://... to use TLS)


I'm still failing miserably trying to get MQTT over websockets to work!
I have 2 servers; https://mysite.co.uk & https://nodered.mysite.co.uk, one is on a local RP & the other an Oracle VM. Both have very simple flows;
[screenshot: flow]

I have not set up TLS security for the websocket connection yet, and therefore have set up the MQTT node server details like this;

[screenshot: mqtt broker node settings]

I have set up the topic, no Retain, 0 QoS, and have used ws://nodered.mysite.co.uk in the mysite.co.uk site, and vice versa in the nodered.mysite.co.uk site, but they never connect, and the NR log shows 3 Nov 20:00:36 - [info] [mqtt-broker:bea3f71.9ee2608] Connection failed to broker: ws://nodered.mysite.co.uk

I have searched here & google, but can't find a similar example to follow. Any advice please?

Where are you running the mqtt broker?

On https://mysite.co.uk but I can't see where the broker comes into play?

The MQTT nodes have to connect to the same broker, but you seem to have configured the nodes to connect to brokers on the opposite machine.

I thought that they were connected by websockets, not by the mqtt server?
Sorry if I'm being a bit slow....

Websockets is an option for how the mqtt nodes connect to the broker, at least that is how I understood it. The mqtt nodes don't talk directly to each other, each one talks to the broker.

IIRC - you have to stick the port number in the server name for some reason
try using ws://nodered.mysite.co.uk:9001 (or whatever port your broker is using for websockets)

Well if I set the server as ws://mysite.co.uk - which is the site containing the Mosquitto broker, it still does not connect.

I tried ws://mysite.co.uk:1883 but it made no difference...

Your broker won't be using 1883 for websockets - default mosquitto is to use 9001 but in this example, the broker uses 8080

PS have you configured your broker to use websockets? They don't tend to be pre-configured for them out-of-the-box

Also I would try getting it going with websockets using a broker on localhost first.

Erm, no!
Is that in mosquitto.conf?

Yes

From

http://www.steves-internet-guide.com/mqtt-websockets/
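As an added illustration of the mosquitto.conf change discussed above (a constructed example, not from any post in this thread), this fragment gives the Pi's broker a localhost-only websockets listener for the "try it on localhost first" step and a separate TLS websockets listener for the remote Node-RED instance. Ports 9001/8083, the certificate paths, the password file and the ACL file path are assumptions to adjust.

```conf
# Constructed mosquitto.conf fragment (added example, not from the thread).
# Ports, certificate paths, password and ACL file names are assumptions.

# Plain MQTT for clients on the Pi itself: bound to localhost so port 1883
# is not reachable from outside the host at all.
listener 1883 localhost

# Plain websockets, also localhost only, for a first test of the Node-RED
# mqtt nodes with ws://localhost:9001 before any TLS is involved.
listener 9001 localhost
protocol websockets

# Websockets over TLS for the remote Node-RED instance; the mqtt-broker
# config node there would use wss://<broker-hostname>:8083
listener 8083
protocol websockets
cafile   /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/broker.crt
keyfile  /etc/mosquitto/certs/broker.key
tls_version tlsv1.2

# Require a username/password on every listener; no anonymous clients.
allow_anonymous false
password_file /etc/mosquitto/passwd

# Per-user topic permissions: the VM's user can be given read-only access
# to the energy topics so it can never publish back towards the Pi.
acl_file /etc/mosquitto/aclfile
```

After restarting Mosquitto, `ss -ltn` on the Pi should show 1883 and 9001 bound to 127.0.0.1 and only 8083 bound to all interfaces.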

Why not use ZeroTier and install it on both ends - it is essentially setting up a simple VPN for you

Craig